AAMI News October 2017

Six Factors Essential for Mitigating Cyber Risks in Healthcare

Kevin Fu is chief scientist of Virta Laboratories and director of the Archimedes Center for Medical Device Security at the University of Michigan. Juuso Leinonen is a project engineer with the Health Devices Group at ECRI Institute. Ben Ransford is CEO and head of engineering at Virta Laboratories. Harold Thimbleby is a professor of computer science at Swansea University in Wales. Portions of this article were originally published in June by Healthcare IT News.

Using Your CMMS for Cybersecurity Activities

HTM professionals can support security activities by capturing specific information in their computerized maintenance management system (CMMS). During the preventive maintenance of networked medical devices, HTM professionals should:

Identify if an operating system or software update is available.

Determine whether the update has been validated by the device manufacturer.

Install the update, if practical.

Update the device’s antivirus software according to the manufacturer’s instructions, if applicable.

Insert the updated device software version in the CMMS.

Verify the device’s MAC address (and other networking details as appropriate) in the CMMS.

HTM and IT staff should jointly conduct periodic reviews of each connected medical device to determine whether any additional security steps should be taken.

Resource for You

AAMI’s updated guide, Computerized Maintenance Management Systems for Healthcare Technology Management, helps HTM professionals get the most out of their CMMS. It is available in the AAMI Store, www.aami.org/store.

Recent ransomware attacks have shown that malware can force entire health systems to interrupt their clinical workflow. But ransomware in and of itself is not the cause of our problems. Ransomware is just a symptom of design flaws baked into the fabric of our healthcare infrastructure.

The next attack could happen at any time, with less than a few milliseconds of warning. Therefore, it is not effective to simply react to new ransomware. Medical devices and healthcare delivery organizations (HDOs) must be designed to be highly tolerant of ransomware attacks and remain available. So, what is an effective strategy for mitigating the medical device security risks that can disrupt clinical operations?

Simply deploying new technology is not the answer. Resources are already stretched at healthcare facilities, making replacement of all devices with legacy software impractical. Furthermore, replacing old hard-to-secure medical devices with new hard-to-secure medical devices is not a great idea either. An effective approach must address six core parts of the healthcare delivery supply chain.

1. ManufacturingFirst, medical device manufacturers must design medical devices to remain safe and effective in the face of cybersecurity risks. The Food and Drug Administration already recognizes consensus standards and best practices, such as AAMI TIR57, Principles for medical device security—Risk management, for building security into the design of medical devices.

When device manufacturers and suppliers fail to follow these best practices, hospitals bear the consequences. Developers that used Microsoft Windows XP as an operating system were warned at the date of purchase of its scheduled obsolescence in 2014, yet manufacturers have continued to release devices that run on XP platforms. In some cases, these products were the best or only available choice for hospitals to meet their clinical needs. These HDOs now face the prospect of managing a large pool of legacy equipment that is no longer supported from a security standpoint. In the long term, the only way to flush out the unsupported software is for HDOs to commit to a timeline for sunsetting these devices.

2. ProcurementWhen purchasing medical devices, hospitals should keep security capabilities in mind whenever possible, using procurement practices like those described in the cybersecurity “vendor book” produced by the Mayo Clinic. (This resource is available by request from the Mayo Clinic’s Clinical Information Security Group. Additionally, AAMI members can get a copy of the cybersecurity contract language used by Mayo in the January/February 2016 issue of BI&T, available at www.aami.org/bit.)

Manufacturers also should support security-informed procurement by providing adequate information to the purchasing organization. Items such as a Manufacturer Disclosure Statement for Medical Device Security, or MDS2 form; network diagrams; and a bill of software materials enable hospitals to make informed, risk-based purchasing decisions.

Furthermore, talking with a vendor as early as possible about security can help hospitals understand the vendor’s approach. Is getting information about security capabilities a constant uphill battle, or is the company transparent and responsive? Knowing this information up front can aid in the procurement process because when the next round of malware hits, hospitals will need vendors that are responsive and provide the information and tools to effectively tackle it. Responsiveness to ongoing threats is likely as important as the security capabilities of the products themselves.

3. Ongoing ManagementThe useful life of medical devices can range from 7–10 years or even more. Ventilators and infusion pumps old enough to vote aren’t uncommon in many resource-strapped facilities. The age of these devices complicates a hospital’s ability to secure them. Even if a piece of equipment is securable today, it may fall into the hard-to-secure legacy device bucket in a few years. Thus, it is advisable to have processes in place to update software both on a routine basis and in response to critical threats.

In addition, facilities need a plan to assess the associated risks of their devices as the environment evolves, as well as one to assess the clinical workflow implications of security-related modifications. “Just take it off the network” is generally not a realistic clinical solution because draconian measures can unacceptably impact workflow, business operations, and/or care delivery.

4. RegulationMalware does not respect international boundaries, so regulators around the world must apply a consistent approach to security. The same core cybersecurity problems exist everywhere, and healthcare information technology (IT) cultures in different countries suffer from surprisingly similar computing problems.

5. TrainingAll hospital staff should receive cybersecurity training because security requires constant vigilance at all levels. It is imperative to remember that most of the incidents that have been reported involve human error and phishing tactics rather than a failure of security capabilities. While technology controls are vital as the primary means for continuous prevention of security threats, staff training and awareness can provide an additional layer of protection.

Workforce shortfalls also remain a great barrier to cybersecurity. Few computer science students choose to work in healthcare. We need to focus attention on the great opportunity for computer science students to help improve healthcare—double major in biomedical engineering! Manufacturers and governments should offer prestigious graduate fellowships to attract the best students to the field so manufacturers, hospitals, and regulators can fill open cybersecurity positions with qualified candidates.

6. GovernanceFinally, HDOs need an effective governance structure for controlling software safety risks in medical devices. A hospital should designate a top-level executive with the authority, responsibility, accountability, and budget to implement necessary cybersecurity measures in the pursuit of healthcare safety. This governance should span the IT department, as well as healthcare technology management (HTM), as it is paramount to understand both sides to effectively tackle cybersecurity in a healthcare setting.